Abstract

This paper formalizes some proofs by Clarkson and Schneider about hyperproperties. The proofs are mechanically verified using the proof assistant Isabelle.


1 Introduction

Properties are sets of execution traces, and hyperproperties are sets of properties. This paper formalizes Clarkson and Schneider's theory of hyperproperties [3] using Isabelle/HOL [4]. We present human-readable, mechanically verified proofs of the propositions and theorems in [3], except those related to topology, which we leave for future work. The proofs given here are formal analogues of informal proofs that were given in a previous technical report [2]. Thus, in addition to verifying the propositions and theorems, we have also verified the original proofs themselves.

This document was produced from LaTeX output, which was generated from Isabelle theory files. Those theory files are available for download from the same URL that hosts this technical report [1]. The numbering of propositions and theorems in this document follows the numbering in [2, 3].


Supported in part by AFOSR grant F9550-06-0019, National Science Foundation Grants 0430161 and CCF-0424422 (TRUST), and a gift from Microsoft Corporation. Denis Bueno is supported by a Sandia National Laboratories Fellowship; Michael Clarkson is supported by an Intel Foundation PhD Fellowship.
theory HyperDefs

imports Main LList2 LaTeXsugar OptionalSugar

begin

notation {} (∅)

2 Definitions

typedecl state

— An abstract notion of a state.

types trace = state llist

— Traces are (possibly infinite) lists of states.

consts States :: state set (Σ)

— An abstract set of states.

consts BottomState :: state
syntax (latex)
BottomState :: state (⊥)

consts DummyState :: state

We assume the existence of one DummyState, which is used by Theorem 3 and Proposition 3.

axioms DummyState-is-State: DummyState ∈ Σ

constdefs

psi-fin :: trace set (Ψ_fin)
Ψ_fin ≡ Σ*

psi-inf :: trace set (Ψ_inf)
Ψ_inf ≡ Σ^ω

Ψ :: trace set
Ψ ≡ Ψ_fin ∪ Ψ_inf


types

property = trace set
hyperproperty = property set

constdefs

Prop :: property set
Prop = Pow Ψ_inf

HP :: hyperproperty set
HP = Pow Prop

consts

property-satisfies :: trace set ⇒ property ⇒ bool ((- ⊨ -) [80,80] 80)
hyperproperty-satisfies :: trace set ⇒ hyperproperty ⇒ bool ((- ⊨ -) [80,80] 80)

defs (overloaded)

property-satisfies-def: ts ⊨ p = ts ⊆ p

hyperproperty-satisfies-def: ts ⊨ h = ts ∈ h

constdefs

property-lift :: property ⇒ hyperproperty ([[ - ]] 80)
property-lift p = Pow p
notation property-lift ([ - ] 80)

constdefs

trace-set-prefix :: trace set ⇒ trace set ⇒ bool (infix ≤ 80)
trace-set-prefix-def:
T ≤ T' = ∀ t. t ∈ T ⟶ (∃ t'. t' ∈ T' ∧ t ≤ t')

Obs :: trace set set
Obs = {ts. ts ⊆ Ψ_fin ∧ finite ts}

sp :: property ⇒ bool
sp P = P ∈ Prop ∧
  (∀ t ∈ Ψ_inf. t ∉ P ⟶
    (∃ m ∈ Ψ_fin. m ≤ t ∧
      (∀ t' ∈ Ψ_inf. m ≤ t' ⟶ t' ∉ P)))

SP :: property set
SP = {P. sp P}

false-p :: property
false-p = ∅

shp :: hyperproperty ⇒ bool
shp H = H ∈ HP ∧
  (∀ T ∈ Prop. T ∉ H ⟶
    (∃ M ∈ Obs. M ≤ T ∧
      (∀ T' ∈ Prop. M ≤ T' ⟶ T' ∉ H)))

SHP :: hyperproperty set
SHP = {hp. shp hp}

false-hp :: hyperproperty
false-hp = [false-p]

lp :: property ⇒ bool
lp L = L ∈ Prop ∧ (∀ t ∈ Ψ_fin. (∃ t' ∈ Ψ_inf. t ≤ t' ∧ t' ∈ L))

LP :: property set
LP = {P. lp P}

lhp :: hyperproperty ⇒ bool
lhp H = H ∈ HP ∧ (∀ T ∈ Obs. (∃ T' ∈ Prop. T ≤ T' ∧ T' ∈ H))

LHP :: hyperproperty set
LHP = {hp. lhp hp}

true-Prop :: property
true-Prop = Ψ_inf
true-HP :: hyperproperty
true-HP = Prop


end


theory Hyper
imports HyperDefs
begin

3 Proposition 1

3.1 Lemmas

lemma property-lifts-into-hyperproperty:
  assumes P-Prop: P ∈ Prop
  shows [P] ∈ HP
  using P-Prop
  unfolding property-lift-def Prop-def HP-def by blast

3.2 Proposition

theorem proposition-1-oif:
  assumes S-Prop: S ∈ Prop and S-SP: S ∈ SP
  shows [S] ∈ SHP
proof
  have lift-S-HP: [S] ∈ HP
    using S-Prop property-lifts-into-hyperproperty by blast
  {
    fix T :: property
    assume T-st: T ∈ Prop T ∉ [S]
    from ⟨T ∉ [S]⟩ have ¬(T ⊆ S) by (simp add: property-lift-def)
    then obtain t where t-st: t ∈ T t ∉ S by blast
    have ∃ m. m ∈ Ψ_fin ∧ m ≤ t ∧ (∀ t' ∈ Ψ_inf. m ≤ t' ⟶ t' ∉ S)
    proof
      from t-st and T-st have t-psi-inf: t ∈ Ψ_inf
        unfolding Prop-def by blast
      with S-Prop and S-SP and T-st and t-st
      show ?thesis unfolding SP-def Prop-def sp-def by blast
    qed
    then obtain m where m-st: m ∈ Ψ_fin m ≤ t ∀ t'. t' ∈ Ψ_inf ∧ m ≤ t' ⟶ t' ∉ S
      by blast
    let ?M = {m}
    from m-st and t-st have M-prf-T: ?M ≤ T
      unfolding trace-set-prefix-def by blast
    with m-st and t-st have M-Obs: ?M ∈ Obs
      unfolding Obs-def by blast
    {
      fix T' :: property
      assume T'-st: T' ∈ Prop ?M ≤ T'
      then have ∃ t' ∈ T'. m ≤ t'
        by (simp only: trace-set-prefix-def) blast
      then obtain t' where t'-st: t' ∈ T' m ≤ t' ..
      with m-st and T'-st have t'-out-S: t' ∉ S
        unfolding Prop-def by blast
      from T'-st and S-Prop and S-SP and t'-st and t'-out-S
      have T' ∉ [S] unfolding property-lift-def by blast
    }
    hence ∀ T'. T' ∈ Prop ∧ ?M ≤ T' ⟶ T' ∉ [S] by blast
    with m-st and M-prf-T and M-Obs
    have ∃ M. M ∈ Obs ∧ M ≤ T ∧ (∀ T'. T' ∈ Prop ∧ M ≤ T' ⟶ T' ∉ [S])
      by blast
  }
  thus ?thesis using lift-S-HP unfolding SHP-def shp-def by blast
qed


lemma prefix-set-has-longest:
  fixes t :: 'a llist
  assumes X-fin: finite X and X-non-empty: X ≠ ∅
    and X-prefix-t: ∀ x ∈ X. x ≤ t
  shows ∃ m ∈ X. (∀ x ∈ X. x ≤ m)
  using prems
proof (induct X rule: Finite-Set.finite-ne-induct)
  fix x :: 'a llist show ∃ m ∈ {x}. ∀ x ∈ {x}. x ≤ m by blast
next
  fix x :: 'a llist and F :: 'a llist set
  assume
    R: ∀ x ∈ F. x ≤ t ⟹ ∃ m ∈ F. ∀ x ∈ F. x ≤ m
    and t-upper-bound: ∀ x ∈ insert x F. x ≤ t
  then obtain m where
    m-in-F: m ∈ F and m-le-t: m ≤ t and x-le-t: x ≤ t
    and m-max-F: ∀ x ∈ F. x ≤ m using R by (auto dest: R)
  from m-le-t x-le-t have m ≤ x ∨ x ≤ m by (rule pref-locally-linear)
  thus ∃ m ∈ insert x F. ∀ x ∈ insert x F. x ≤ m
  proof
    assume m ≤ x with m-max-F
    have ∀ xa ∈ insert x F. xa ≤ x by auto
    thus ?thesis by blast
  next
    assume x ≤ m with m-max-F
    have ∀ xa ∈ insert x F. xa ≤ m by auto
    thus ?thesis using m-in-F by blast
  qed
qed


theorem proposition-1-if:
  assumes S-Prop: S ∈ Prop and lift-S-shp: [S] ∈ SHP
  shows S ∈ SP
proof −
  { — Show that t has finite bad thing m.
    fix t :: trace
    assume t-st: t ∉ S {t} ∈ Prop
    then have t-out-lift-S: {t} ∉ [S] by (simp add: property-lift-def)
    obtain M where
      M-st: M ∈ Obs M ≤ {t} ∀ T'. T' ∈ Prop ∧ M ≤ T' ⟶ T' ∉ [S]
      using t-out-lift-S and t-st and S-Prop and lift-S-shp
      unfolding SHP-def shp-def
      by blast
    have ∃ ms ∈ Ψ_fin. ms ∈ M ∧ ms ≤ t ∧ (∀ m ∈ M. m ≤ ms)
    proof −
      have M-pfx-t: ∀ nn ∈ M. nn ≤ t
        using M-st unfolding trace-set-prefix-def by blast
      have M-nonempty: M ≠ ∅
      proof (rule ccontr)
        {
          assume M-empty: ¬ M ≠ ∅
          {
            fix T' :: property assume T' ∈ Prop
            with M-empty have M ≤ T' unfolding trace-set-prefix-def by blast
          }
          hence M-pfx-Prop: ∀ T' ∈ Prop. M ≤ T' by blast
          have ∅ ∈ Prop unfolding Prop-def by blast
          hence M ≤ ∅ using M-pfx-Prop by blast
          hence ∅ ∉ [S] using M-st and ⟨∅ ∈ Prop⟩ by blast
          have ∅ ∈ [S] using property-lift-def by blast
          from ⟨∅ ∈ [S]⟩ and ⟨¬ ∅ ∈ [S]⟩ have False by blast
        }
        thus ¬ M ≠ ∅ ⟹ False by blast
      qed

      have M-fin: finite M using M-st unfolding Obs-def by blast
      from this obtain ms where ms-st: ms ∈ M ∀ x ∈ M. x ≤ ms
        using M-pfx-t and M-nonempty
        apply (insert prefix-set-has-longest [where t=t and X=M], blast)
        done
      hence ms-psi-fin: ms ∈ Ψ_fin using M-st unfolding Obs-def by blast
      have ms-pfx-t: ms ≤ t using ms-st and M-st unfolding trace-set-prefix-def
        by blast
      from ms-psi-fin and ms-st and ms-pfx-t
      show ∃ ms ∈ Ψ_fin. ms ∈ M ∧ ms ≤ t ∧ (∀ m ∈ M. m ≤ ms)
        by blast
    qed
    from this obtain m-star where
      m-star-st: m-star ∈ Ψ_fin m-star ∈ M m-star ≤ t
        ∀ m ∈ M. m ≤ m-star
      by auto

    {
      fix t'
      assume t'-st: {t'} ∈ Prop m-star ≤ t'
      let ?T' = {t'}
      have M ≤ ?T'
      proof
        {
          fix m
          assume m ∈ M
          with m-star-st have m ≤ m-star by blast
          with t'-st have m ≤ t' using llist-le-trans by blast
        }
        thus M ≤ ?T' unfolding trace-set-prefix-def by blast
      qed
      with M-st and t'-st have ?T' ∉ [S] by blast
      hence t' ∉ S unfolding property-lift-def by blast
    }
    with m-star-st have ∃ m ∈ Ψ_fin. m ≤ t ∧ (∀ t' ∈ Ψ_inf. m ≤ t' ⟶ t' ∉ S)
      unfolding Prop-def
      by blast
  }
  thus ?thesis
    using S-Prop
    unfolding SP-def sp-def Prop-def by blast
qed



4 Proposition 2

theorem proposition-2-oif:
  fixes L :: trace set
  assumes L-Prop: L ∈ Prop and L-LP: L ∈ LP
  shows [L] ∈ LHP
proof
  have lift-L-HP: [L] ∈ HP
    using L-Prop property-lifts-into-hyperproperty by blast
  {
    fix M assume M-st: M ∈ Obs
    {
      fix m assume m-st: m ∈ M
      have ∃ t. m ≤ t ∧ t ∈ L
      proof
        from m-st and M-st have m ∈ Ψ_fin
          unfolding Obs-def by blast
        with L-Prop and L-LP and m-st show ?thesis
          unfolding LP-def lp-def Prop-def by blast
      qed
    }
    hence M-more: ∀ m ∈ M. (∃ t. m ≤ t ∧ t ∈ L) by blast

    let ?T = {tm. ∃ m ∈ M. m ≤ tm ∧ tm ∈ L}
    have ?T ⊆ L by blast
    hence T-in-lift: ?T ∈ [L] unfolding property-lift-def by blast
    with M-more have M-pfx-T: M ≤ ?T
      unfolding trace-set-prefix-def by blast
    have ?T ∈ Prop using M-st L-Prop
      unfolding Prop-def psi-inf-def Obs-def psi-fin-def
      by blast
    with T-in-lift and M-pfx-T and L-Prop
    have ∃ T. T ∈ Prop ∧ M ≤ T ∧ T ∈ [L] by blast
  }
  thus [L] ∈ LHP using lift-L-HP unfolding LHP-def lhp-def by blast
qed


theorem proposition-2-if:
  fixes L :: trace set
  assumes L-Prop: L ∈ Prop and L-lift-lhp: [L] ∈ LHP
  shows L ∈ LP
proof −
  { fix t :: trace assume t-st: t ∈ Ψ_fin
    let ?T = {t}
    obtain T' where T'-st: ?T ≤ T' T' ∈ [L] T' ∈ Prop
    proof −
      from t-st have t-Obs: {t} ∈ Obs using Obs-def by blast
      hence ∃ T' ∈ Prop. ?T ≤ T' ∧ T' ∈ [L]
        using L-lift-lhp unfolding LHP-def lhp-def by blast
      thus ?thesis by auto
    qed
    then obtain t' where t'-st: t ≤ t' t' ∈ T' t' ∈ Ψ_inf
      unfolding trace-set-prefix-def Prop-def by blast
    have t' ∈ L using ⟨t' ∈ T'⟩ and ⟨T' ∈ [L]⟩
      unfolding property-lift-def by blast
    with t'-st have ∃ t' ∈ Ψ_inf. t ≤ t' ∧ t' ∈ L by blast
  }
  thus L ∈ LP unfolding LP-def lp-def using L-Prop by blast
qed

5 Theorem 3

5.1 Definitions and Lemmas

constdefs

Safe :: hyperproperty ⇒ hyperproperty
Safe P = {T ∈ Prop. (∀ M ∈ Obs. M ≤ T ⟶
  (∃ T' ∈ Prop. M ≤ T' ∧ T' ∈ P))}

Live :: hyperproperty ⇒ hyperproperty
Live P = P ∪ (Prop − Safe P)

lemma Safe-is-HP:
  fixes P :: hyperproperty
  assumes P ∈ HP
  shows Safe P ∈ HP
  unfolding Safe-def HP-def by blast

lemma Live-is-HP:
  fixes P :: hyperproperty
  assumes P-HP: P ∈ HP
  shows Live P ∈ HP
  using P-HP
  unfolding Live-def HP-def by blast

lemma Safe-is-hypersafety:
  fixes P :: hyperproperty
  assumes P-HP: P ∈ HP
  shows Safe P ∈ SHP
  using P-HP Safe-is-HP
  unfolding Safe-def SHP-def shp-def
  by blast

lemma P-subset-Safe-P:
  fixes P :: hyperproperty
  assumes P-HP: P ∈ HP
  shows P ⊆ Safe P
  using P-HP
  unfolding Safe-def HP-def
  by blast

lemma stutter-append-is-infinite:
  fixes x :: trace
  assumes x-fin: x ∈ Ψ_fin and s-st: s ∈ Σ
  shows (x @@ lconst s) ∈ Ψ_inf
proof
  from s-st have lconst s ∈ inflsts Σ
    by (rule lconstT [of s Σ])
  thus (x @@ lconst s) ∈ Ψ_inf
    using x-fin s-st lapp-fin-infT
    unfolding psi-fin-def psi-inf-def
    by blast
qed


constdefs

asInfinite :: trace ⇒ trace
asInfinite t = if LNil = t then lconst DummyState else t @@ (lconst (llast t))

— Converts a finite trace to an infinite trace. If the given finite trace is non-empty, it returns a suffix in which the final state is infinitely stuttered; otherwise it returns the constant DummyState trace.

lemma llast-in-trace-alphabet:
  assumes t ∈ Ψ_fin
  shows t ≠ LNil ⟶ llast t ∈ Σ (is ?P t)
  using prems
  unfolding psi-fin-def
  by (induct t rule: finlsts.induct) auto

lemma asInfinite-correctness:
  assumes t-fin: t ∈ Ψ_fin
  shows asInfinite t ∈ Ψ_inf ∧ t ≤ asInfinite t
proof cases
  assume LNil = t
  thus ?thesis unfolding asInfinite-def psi-inf-def using DummyState-is-State
    by (simp add: lconstT [of DummyState Σ])
next
  assume t-positive: LNil ≠ t
  with t-fin have res-inf: asInfinite t ∈ Ψ_inf
  proof −
    have llast t ∈ Σ using t-positive t-fin llast-in-trace-alphabet by simp
    moreover
    have lconst (llast t) ∈ Ψ_inf
      using t-fin t-positive ⟨llast t ∈ Σ⟩ unfolding psi-fin-def psi-inf-def
      by (simp add: lconstT [of llast t Σ])
    moreover
    have t @@ lconst (llast t) ∈ Ψ_inf
      using t-fin ⟨llast t ∈ Σ⟩
      by (simp add: stutter-append-is-infinite [of t llast t])
    ultimately
    show asInfinite t ∈ Ψ_inf unfolding asInfinite-def
      using t-positive by simp
  qed
  from t-fin and t-positive
  have t ≤ asInfinite t
    unfolding psi-fin-def asInfinite-def using le-lappend by simp
  with res-inf show ?thesis ..
qed


lemma Live-is-hyperliveness:
  fixes P :: hyperproperty
  assumes P-HP: P ∈ HP
  shows Live P ∈ LHP
proof
  have Live-HP: Live P ∈ HP using P-HP Live-is-HP by blast
  {
    fix T assume T-st: T ∈ Obs
    have ∃ T' ∈ Prop. T ≤ T' ∧ T' ∈ Live P
    proof cases
      assume ∃ T' ∈ Prop. T ≤ T' ∧ T' ∈ P
      then obtain T' where T'-st: T' ∈ Prop T ≤ T' T' ∈ P by blast
      hence T' ∈ Live P unfolding Live-def by blast
      thus ?thesis using T'-st by blast
    next
      assume T'-non-extends: ¬(∃ T' ∈ Prop. T ≤ T' ∧ T' ∈ P)
      {
        fix T' assume T'-extends-T: T' ∈ Prop T ≤ T'
        hence T' ∉ P using T'-non-extends by blast
        hence T' ∉ Safe P
        proof −
          have ∃ T ∈ Obs. T ≤ T' ∧ (∀ T' ∈ Prop. ¬(T ≤ T') ∨ (T' ∉ P))
            using T-st and T'-extends-T and T'-non-extends by blast
          hence ¬(∀ M ∈ Obs. M ≤ T' ⟶
            (∃ T'' ∈ Prop. M ≤ T'' ∧ T'' ∈ P))
            by blast
          thus ?thesis using ⟨T' ∈ Prop⟩ unfolding Safe-def by blast
        qed
        hence T' ∈ (Prop − Safe P) using ⟨T' ∈ Prop⟩ by blast
      }
      hence all-pfx: ∀ T' ∈ Prop. T ≤ T' ⟶ T' ∈ Prop − Safe P by simp
      show ∃ T' ∈ Prop. T ≤ T' ∧ T' ∈ Live P
      proof
        let ?T' = {asInfinite x | x. x ∈ T}
        have T'-suff: T ≤ ?T' using asInfinite-correctness T-st
          unfolding trace-set-prefix-def Obs-def by blast
        have T'-Prop: ?T' ∈ Prop using T-st asInfinite-correctness
          unfolding Obs-def Prop-def by blast
        from T'-suff and T'-Prop have ?T' ∈ Prop − Safe P using all-pfx by
          blast
        with T'-suff and T'-Prop show ?thesis unfolding Live-def by blast
      qed
    qed
  }
  thus ?thesis using Live-HP unfolding Live-def LHP-def lhp-def by blast
qed

5.2 Theorem

theorem theorem-3:
  fixes P :: trace set set
  assumes P-HP: P ∈ HP
  shows ∃ S ∈ SHP. ∃ L ∈ LHP. P = S ∩ L
proof
  let ?S = Safe P let ?L = Live P
  have ?S ∩ ?L = (P ∪ Safe P) ∩ (P ∪ (Prop − Safe P))
    unfolding Live-def using P-HP P-subset-Safe-P by blast
  also have (P ∪ Safe P) ∩ (P ∪ (Prop − Safe P))
    = P ∩ (Safe P ∪ (Prop − Safe P))
    using P-HP unfolding HP-def by blast
  also have P ∩ (Safe P ∪ (Prop − Safe P)) = P ∩ Prop
    unfolding Safe-def by blast
  also have P ∩ Prop = P using P-HP unfolding HP-def by blast
  finally have witness: ?S ∩ ?L = P by blast

  have Safe-SHP: Safe P ∈ SHP using Safe-is-hypersafety P-HP by blast
  have Live-LHP: Live P ∈ LHP using Live-is-hyperliveness P-HP by blast

  show ?thesis using Safe-SHP Live-LHP witness by blast
qed

6 Theorem 1

6.1 Definitions and Lemmas

constdefs

Systems :: trace set set
Systems = {ts. ts ≠ ∅ ∧ ts ⊆ Ψ_inf}

refinedby :: trace set ⇒ trace set ⇒ bool (infix ⊑ 80)
S ⊑ S' = S' ⊆ S

rc :: hyperproperty ⇒ bool
rc H = ∀ S ∈ Systems. S ⊨ H ⟶
  (∀ S' ∈ Systems. S ⊑ S' ⟶ S' ⊨ H)

RC :: hyperproperty set
RC = {H ∈ HP. rc H}

axioms safety-and-liveness-onlyif-true:
⟦ p ∈ LP; p ∈ SP ⟧ ⟹ p = true-Prop

Any property which is both safety and liveness is the true property. This is axiomatised since it is well-known about the theory of properties.

lemma hypersafety-and-hyperliveness-onlyif-true:
  fixes H :: hyperproperty
  assumes H-SHP: H ∈ SHP and H-LHP: H ∈ LHP
  shows H = true-HP
proof (rule ccontr)
  have H-HP: H ∈ HP using H-SHP unfolding SHP-def shp-def by blast
  {
    assume H-untrue: H ≠ true-HP
    then obtain Tstar where Tstar-st: Tstar ∈ Prop Tstar ∉ H
      using H-HP unfolding HP-def true-HP-def Prop-def by blast
    obtain M where M-st: M ∈ Obs M ≤ Tstar
      ∀ T' ∈ Prop. M ≤ T' ⟶ T' ∉ H
      using H-SHP Tstar-st
      unfolding SHP-def shp-def by blast
    then obtain Th where Th-st: Th ∈ Prop M ≤ Th Th ∈ H
      using H-LHP
      unfolding LHP-def lhp-def by blast
    hence Th ∉ H using ⟨Th ∈ Prop⟩ M-st by blast
    thus False using Th-st by blast
  }
qed

lemma hypersafety-and-hyperliveness-onlyif-true-contrapos:
  fixes H :: hyperproperty
  shows H ≠ true-HP ⟶ (H ∉ LHP ∨ H ∉ SHP)
  apply (insert hypersafety-and-hyperliveness-onlyif-true [of H])
  by blast

axioms Ex-nontrue-Prop: ∃ l ∈ LP. l ≠ true-Prop

— There is a liveness property other than true. This is axiomatised since it is well-known about the theory of properties.

lemma system-is-property:
  fixes s :: trace set
  assumes s-Sys: s ∈ Systems
  shows s ∈ Prop
  using s-Sys
  unfolding Systems-def Prop-def by blast

lemma HP-contains-SHP: SHP ⊆ HP unfolding SHP-def shp-def by blast

6.2 Theorem

theorem theorem-1-relaxed:
  shows SHP ⊆ RC
proof (rule ccontr)
  assume ¬ SHP ⊆ RC
  then obtain S where S-SHP: S ∈ SHP and S-not-RC: S ∉ RC by blast
  have S-HP: S ∈ HP using S-SHP HP-contains-SHP by blast
  from S-HP and S-not-RC
  obtain T T' where T-st: T ∈ Prop T ∈ S
    and T'-st: T' ∈ Prop T' ∉ S
    and T-gt-T': T ⊇ T'
    unfolding RC-def rc-def HP-def Systems-def Prop-def
    unfolding refinedby-def hyperproperty-satisfies-def
    by blast
  from T'-st obtain M
    where M-st: M ≤ T' (∀ T'' ∈ Prop. M ≤ T'' ⟶ T'' ∉ S)
    using S-SHP unfolding SHP-def shp-def by blast
  have M ≤ T
    using M-st T-st T'-st T-gt-T'
    unfolding trace-set-prefix-def by blast
  hence T ∉ S using T-st M-st by blast
  thus False using T-st by blast
qed

theorem theorem-1: SHP ⊂ RC
proof
  show SHP ⊆ RC using theorem-1-relaxed by assumption
  obtain l where l-LP: l ∈ LP and l-untrue: l ≠ true-Prop
    using Ex-nontrue-Prop by blast
  hence ex-RC: [l] ∈ RC
    unfolding property-lift-def LP-def lp-def RC-def rc-def Systems-def
      refinedby-def HP-def Prop-def psi-inf-def psi-fin-def
      hyperproperty-satisfies-def
    by blast
  from l-untrue have [l] ≠ true-HP
    using l-LP
    unfolding LP-def lp-def true-Prop-def true-HP-def property-lift-def
      psi-inf-def Prop-def
    by blast
  hence [l] ∉ SHP
  proof
    have l ∈ Prop using l-LP unfolding LP-def lp-def by blast
    with l-LP have [l] ∈ LHP using proposition-2-oif by blast
    thus [l] ∉ SHP
      using ⟨[l] ≠ true-HP⟩
        hypersafety-and-hyperliveness-onlyif-true-contrapos by blast
  qed
  thus SHP ≠ RC using ex-RC by blast
qed

7 Proposition 3

7.1 Definitions and Lemmas

constdefs

Cls :: ('a set ⇒ 'a set) set
Cls = {cl. ∀ T :: 'a set. T ⊆ cl T}

PIF :: hyperproperty set
PIF ≡ {{Cl T | T. T ∈ Prop} | Cl. Cl ∈ Cls}

lsingle :: 'a ⇒ 'a llist
lsingle x = x ## LNil

hasDummyState :: trace ⇒ bool
hasDummyState t = ∃ t'. t' @@ (lsingle DummyState) ≤ t

GS :: trace set
GS = {t. t ∈ Ψ_inf ∧ hasDummyState t}

The guaranteed service property, GS, contains infinite traces in which a designated state occurs. This definition generalizes GS from the technical report.

axioms

Cl-produces-Props: ⟦ T ∈ Prop; Cl ∈ Cls ⟧ ⟹ Cl T ∈ Prop
— This axiom is essentially a type signature on closures. It is axiomatised because although it is not mentioned in the technical report, it is required for Proposition 3.

EX-trace-sans-DummyState: ∃ t ∈ Ψ_inf. ¬ hasDummyState t
— There is an infinite trace without a certain state (the DummyState, in this case). This is axiomatised because it is well-known about the theory of properties.

GS-liveness: lp GS
— The GS property is a liveness property. This is axiomatised since it is well-known.

lemma GS-LHP: [GS] ∈ LHP
proof −
  have GS ∈ Prop unfolding Prop-def GS-def by blast
  thus ?thesis using GS-liveness proposition-2-oif unfolding LP-def by blast
qed

lemma trace-set-prefix-expanding:
  fixes T :: trace set
  assumes T-st: T ≤ T' and T'-sub: T' ⊆ T''
  shows T ≤ T''
  using T-st T'-sub unfolding trace-set-prefix-def by blast

7.2 Proposition

theorem proposition-3-relaxed:
  shows PIF ⊆ LHP
proof
  {
    fix P assume P ∈ PIF
    then obtain Cl-P where P-st: P = {Cl-P T | T. T ∈ Prop}
      and Cl-P-closure: Cl-P ∈ Cls
      unfolding PIF-def by blast
    have P-HP: P ∈ HP
    proof
      {
        fix x assume x ∈ P
        then obtain T where T-st: x = Cl-P T T ∈ Prop
          using P-st by blast
        hence x ∈ Prop using Cl-P-closure Cl-produces-Props by blast
      }
      thus ?thesis unfolding HP-def by blast
    qed
    {
      fix T assume T-Obs: T ∈ Obs
      have ∃ T' ∈ Prop. T ≤ T' ∧ T' ∈ P
      proof
        let ?T-inf = {asInfinite t | t. t ∈ T}
        let ?T' = Cl-P ?T-inf
        have T'-suff: T ≤ ?T'
        proof
          have Cl-P-monotonic: ⋀ X. X ⊆ Cl-P X
            using Cl-P-closure unfolding Cls-def by blast
          hence Cl-P-prop: ?T-inf ⊆ Cl-P ?T-inf by auto
          have T-pfx-T-inf: T ≤ ?T-inf
            using T-Obs asInfinite-correctness
            unfolding Obs-def trace-set-prefix-def by blast
          with Cl-P-prop show ?thesis
            apply (insert trace-set-prefix-expanding [OF T-pfx-T-inf Cl-P-prop])
            apply assumption
            done
        qed
        have ?T-inf ∈ Prop using T-Obs asInfinite-correctness
          unfolding Obs-def Prop-def by blast
        hence T'-P: ?T' ∈ P using P-st by blast
        have T'-Prop: ?T' ∈ Prop
          using ⟨?T-inf ∈ Prop⟩ Cl-P-closure Cl-produces-Props by blast
        with ⟨?T' ∈ P⟩ and T'-suff show ?thesis by blast
      qed
    }
    hence P ∈ LHP using P-HP unfolding LHP-def lhp-def by blast
  }
  thus PIF ⊆ LHP by blast
qed

theorem proposition-3:
  shows PIF ⊂ LHP
proof
  show PIF ⊆ LHP using proposition-3-relaxed .
  have GS-lift-LHP: [GS] ∈ LHP by (simp add: GS-LHP)
  show PIF ≠ LHP
  proof (rule ccontr)
    {
      assume PIF = LHP
      hence [GS] ∈ PIF using GS-lift-LHP by simp
      then obtain CL-GS
        where CL-GS-st: [GS] = {CL-GS T | T. T ∈ Prop}
        and CL-GS-Cls: CL-GS ∈ Cls unfolding PIF-def by blast
      obtain t
        where t-inftrace: t ∈ Ψ_inf
        and t-no-Dummy: ¬ hasDummyState t
        using EX-trace-sans-DummyState by blast
      hence ts-Prop: {t} ∈ Prop unfolding Prop-def by blast
      have t ∈ CL-GS {t} using CL-GS-Cls unfolding Cls-def by blast
      hence ¬(CL-GS {t} ⊨ GS)
        using t-no-Dummy
        unfolding property-satisfies-def GS-def by blast
      hence False using CL-GS-st
        using ts-Prop unfolding property-satisfies-def property-lift-def by blast
    }
    thus ¬ PIF ≠ LHP ⟹ False by blast
  qed
qed


8 Theorem 2

8.1 Definitions and Lemmas

We represent traces over the alphabet Σ^k as 'a llist llist where 'a is the type of elements of Σ. That is, instead of using k-tuples, we use llists of length k.

constdefs

kshp :: nat ⇒ hyperproperty ⇒ bool
kshp k S =
  S ∈ HP ∧
  (∀ T ∈ Prop. T ∉ S ⟶
    (∃ M ∈ Obs. M ≤ T ∧ card M = k ∧
      (∀ T' ∈ Prop. M ≤ T' ⟶ T' ∉ S)))

KSHP :: nat ⇒ hyperproperty set
KSHP k ≡ {S. kshp k S}

fromSome :: 'a option ⇒ 'a
fromSome x = (case x of Some e ⇒ e | None ⇒ arbitrary)

fromSomeSt :: state option ⇒ state
fromSomeSt x = (case x of Some s ⇒ s | None ⇒ ⊥)

zipn :: nat ⇒ (state llist) llist ⇒ (state llist) llist ⇒ bool
zipn k T t =
  ∀ j :: nat. j < k ⟶ t!!j = Some (lmap (λt. fromSomeSt (t!!j)) T)

— The zip relation. We get unzip for free.

set-to-llist :: 'a set ⇒ 'a llist
set-to-llist S = SOME l. lset l = S
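The following Python script is an added worked example; it is not code from the paper or from its Isabelle theories. It builds a finite model of the Section 2 definitions (Ψ_fin, Ψ_inf, Prop, Obs, the trace-set prefix ≤, sp, lp, the lift [p], shp, lhp, rc, Safe and Live) together with the kshp definition above, and checks Propositions 1 and 2, Theorem 3 and the strictness half of Theorem 1 by brute force. The approximation is an assumption of the example: Σ = {a, b}, an "infinite" trace is a string of exactly N states and a finite trace is any strictly shorter string (if a full-length string also counted as a finite prefix, every property would be a safety property, because m = t would refute t itself). The four example (hyper)properties are constructed here and are not from the paper; the two genuine hyperproperties are in the style of a 2-safety information-flow policy (all runs agree on a state) and a possibilistic policy (both kinds of run must be present), which the paper's Theorem 1 predicts to behave differently under refinement.

```python
from itertools import combinations, product

# Constructed finite model (assumption of this example, not the paper's theory):
# Σ = {a, b}; Ψ_inf = strings of length N, Ψ_fin = strictly shorter strings.
SIGMA = "ab"
N = 3
PSI_INF = frozenset("".join(p) for p in product(SIGMA, repeat=N))
PSI_FIN = frozenset("".join(p) for n in range(N) for p in product(SIGMA, repeat=n))


def powerset(xs):
    """All subsets of xs as frozensets (Pow)."""
    xs = sorted(xs)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]


PROP = frozenset(powerset(PSI_INF))      # Prop = Pow Ψ_inf
OBS = frozenset(powerset(PSI_FIN))       # Obs: finite subsets of Ψ_fin (all of them here)
SYSTEMS = [S for S in PROP if S]         # Systems: non-empty subsets of Ψ_inf


def set_le(T, T2):
    """trace-set-prefix: T ≤ T' iff every t ∈ T has an extension t' ∈ T'."""
    return all(any(t2.startswith(t) for t2 in T2) for t in T)


# ext(M) = {T ∈ Prop | M ≤ T} and ext_t(m) = {t ∈ Ψ_inf | m ≤ t}, precomputed once.
EXT = {M: frozenset(T for T in PROP if set_le(M, T)) for M in OBS}
EXT_T = {m: frozenset(t for t in PSI_INF if t.startswith(m)) for m in PSI_FIN}


def sp(P):
    """sp: every t ∉ P has a finite prefix m none of whose extensions lies in P."""
    return P <= PSI_INF and all(
        any(t.startswith(m) and EXT_T[m].isdisjoint(P) for m in PSI_FIN)
        for t in PSI_INF - P)


def lp(L):
    """lp: every finite trace extends to some t' ∈ L."""
    return L <= PSI_INF and all(not EXT_T[m].isdisjoint(L) for m in PSI_FIN)


def lift(p):
    """[p] = Pow p."""
    return frozenset(powerset(p))


def shp(H, k=None):
    """shp (k=None) or kshp k: every T ∉ H has a bad observation M ≤ T
    (with card M = k when k is given) none of whose extensions lies in H."""
    bad = [M for M in OBS if EXT[M].isdisjoint(H) and (k is None or len(M) == k)]
    return H <= PROP and all(any(T in EXT[M] for M in bad) for T in PROP - H)


def lhp(H):
    """lhp: every observation extends to some T' ∈ H."""
    return H <= PROP and all(not EXT[M].isdisjoint(H) for M in OBS)


def rc(H):
    """rc: every non-empty subset (refinement) of a system in H is again in H."""
    return all(all(S2 in H for S2 in powerset(S) if S2) for S in SYSTEMS if S in H)


def safe(P):
    """Safe P: the T ∈ Prop all of whose observations extend into P."""
    return frozenset(T for T in PROP
                     if all(not EXT[M].isdisjoint(P) for M in OBS if T in EXT[M]))


def live(P):
    """Live P = P ∪ (Prop − Safe P)."""
    return P | (PROP - safe(P))


# Constructed example properties and hyperproperties (assumptions of this example).
FIRST_A = frozenset(t for t in PSI_INF if t[0] == "a")        # the first state is a
REACH_B = frozenset(t for t in PSI_INF if "b" in t)           # b eventually occurs (GS-like)
SAME_FIRST = frozenset(T for T in PROP if len({t[0] for t in T}) <= 1)     # all runs agree on the first state
BOTH_FIRST = frozenset(T for T in PROP if {t[0] for t in T} == set(SIGMA))  # an a-run and a b-run both occur


def check():
    """Instantiate Propositions 1 and 2, Theorem 3 and Theorem 1 on the examples above."""
    return {
        "prop1": sp(FIRST_A) == shp(lift(FIRST_A)) and sp(REACH_B) == shp(lift(REACH_B)),
        "prop2": lp(FIRST_A) == lhp(lift(FIRST_A)) and lp(REACH_B) == lhp(lift(REACH_B)),
        "thm3": all(safe(H) & live(H) == H and shp(safe(H)) and lhp(live(H))
                    for H in (lift(FIRST_A), lift(REACH_B), SAME_FIRST, BOTH_FIRST)),
        "thm1_rc_not_shp": rc(lift(REACH_B)) and not shp(lift(REACH_B)),  # witness for SHP ≠ RC
        "same_first": (shp(SAME_FIRST), shp(SAME_FIRST, k=1), shp(SAME_FIRST, k=2), rc(SAME_FIRST)),
        "both_first": (shp(BOTH_FIRST), lhp(BOTH_FIRST), rc(BOTH_FIRST)),
    }


if __name__ == "__main__":
    for name, value in check().items():
        print(name, value)
```

The precomputed `EXT` table is what keeps the brute-force checks cheap: shp, lhp, Safe and Live are all stated in terms of "which properties extend a given observation", so each of them becomes a few set operations per observation. The `same_first` entry shows a hyperproperty that is hypersafety and refinement-closed but is 2-safety rather than 1-safety (no single finite trace refutes it); the `both_first` entry shows a hyperliveness hyperproperty that a refinement can violate, which is why rc fails for it.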

Following  are  various  axioms  about  the  zip  operator.  Each  axiom  corre¬ 
sponds  to  an  unproved  fact  about  the  operator. 

axioms 

zip- of- Obs- exists: 

M  £  Obs  =>■  3  m.  zipn  k  (set-to-llist  M)  m 

Any  observation  can  be  zipped.  This  axiom  is  used  in  the  if  direction  of 
theorem  3. 

zip-EX-suffix : 

[Mg  Obs ;  S  £  Systems',  zipn  k  (set-to-llist  M)  m\  M  <  S  ] 

=>  3  s  £  kProd  k  S.  prefix-k  k  m  s 

—  There  is  a  suffix  Sk  to  any  zip  of  an  observation,  if  the  system  5  is  a  suffix  of 
the  observation. 
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zip-of-Obs-fin: 

[Me  Obs ;  zipn  k  ( set-to-llist  M)  m  ] 

=>  m  €  (E*)* 

Zipping  an  observation  produces  a  finite  trace  over  Efc. 

unzipped-recoverable : 
zipn  k  ( set-to-llist  M)  Mz 

=>  V  j<k.  3  m  £  M.  m  =  Imap  (At.  fromSome  Mz 

—  Every  member  from  an  unzipped  trace  set  corresponds  to  some  element  of  the 
zip. 

unzip-monotonic-wrt-prefix-k : 

[  zipn  k  ( set-to-llist  M)  Mz;  zipn  k  ( set-to-llist  T)  Tz ;  prefix-k  k  Mz  Tz  ] 

=>  M  <  Tl 

—  Unzipping  is  monotonic. 

constdefs 

noBot  ::  state  Hist  =>■  bool 

noBot  =  finlsts-rec  True  (A  s  r  b.  b  A  (s  ^  _L)) 

—  noBot  t  asserts  that  the  finite  trace  t  does  not  contain  _L. 

bottoms  ::  state  Hist  —  infinite  list  of  bottoms 
bottoms  =  leonst  _L 

prefix-bottom  ::  state  Hist  =>  state  Hist  =>  bool  (infix  <_l  60) 
t  <_l  u  =  3  tp.  noBot  tp  A  t  <  tp  @@  bottoms  A  tp  <  u 

—  Effectively  removes  the  bottoms  from  the  first  trace,  then  compares  it  to  the 
second. 

prefix-k  ::  ( state  Hist )  Hist  =>•  nat  =>  ( state  Hist)  Hist  =>  bool  (-  <_  -  60) 
t-k  nk 

'  - > 

( Imap  (At.  fromSome  ( t\\j ))  tk)  <_l  ( Imap  (At.  fromSome  ( t ! ! j ) )  Uk) 

—  The  input  traces  are  over  the  alphabet  Efe.  We  project  the  jth  position  of  each 
element,  which  creates  two  traces  each  with  state  elements,  and  compare  those  with 
prefix-bottom. 

State-K  ::  state  Hist  set 
State-K  =  E* 

TraceFin-K  ::  state  Hist  Hist  set 
TraceFin-K  =  State-K* 

Tracelnf-K  ::  state  Hist  Hist  set 
Tracelnf-K  =  State-K w 
Prop-K  ::  state  Hist  Hist  set  set 
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Prop-K  =  Pow  Tracelnf-K 

A  generic  definition  of  safety  which  takes  an  alphabet  as  a  parameter.  For 
theorem  2  we  require  reasoning  about  traces  over  S  and  T,k. 

constdefs 

spa  ::  nat  =>•  ( state  Hist)  Hist  set  =>  bool 
spa  k  P  =  P  £  Prop-K 

A  (V  t  €  Tracelnf-K .  t  £  P  — > 

(3  m  £  TraceFin-K .  m  <k  t  A 
(V  i'  £  Tracelnf-K .  m  <k  t'  — >  t'  £  P))) 

SPA  ::  nat  =A  ( state  Hist)  Hist  set  set 
SPA  k  =  {P.  spa  k  P} 

kProd  ::  nat  =>  state  Hist  set  =>  ( state  Hist)  Hist  set 
kProd  k  S  =  {t  €  Tracelnf-K .  3  S'  £  Systems. 

S'  C  S  A  card  S1  =  k  A  zipn  k  ( set-to-llist  S')  t} 

^-product  of  a  system  S. 

pa-satisfies  ::  'a  Hist  set  =>  ' a  Hist  set  =>■  bool  ((-  |=  -)  [80,80]  80) 
pa-satisfies-def:  ts  \=  p  =  ts  C  p 

-  Whether  a  set  of  traces  over  an  alphabet  'a  satisfies  a  property. 

KSP  ::  nat  =>  ( state  Hist)  Hist  set  set 
KSP  k  =  SPA  k 

Bads-from-KSaf  ::  nat  =>  hyperproperty  =>  trace  set  set 
Bads-from-KSaf  k  KK  = 

{M  £  Obs.  card  M  <  k 

A  (3  T  £  Prop.  T  <£  KK  A  M  <  T) 

A  (V  T'  £  Prop.  M  <  T'  — >  T'  ^  KK)  } 

—  Boldface  M  in  the  proof  of  theorem  2. 

Saf-from-KSaf  ::  nat  =>  hyperproperty  =>  ( state  Hist)  Hist  set 
Saf-from-KSaf  k  KK  = 

{t  £  Tracelnf-K . 

->(3  M  £  Obs.  3  tz  £  TraceFin-K. 

M  £  Bads-from-KSaf  k  KK  A  zipn  k  ( set-to-llist  M)  tz  A  tz  <k  t)} 

—  Boldface  K  in  the  proof  of  theorem  2. 

lemma Saf-from-KSaf-is-safety:
  fixes k :: nat
  assumes KK-KSHP: KK ∈ KSHP k
  shows Saf-from-KSaf k KK ∈ KSP k
proof -
  let ?K = Saf-from-KSaf k KK
  have Saf-from-KSaf-st: ?K ∈ Prop-K
    unfolding Saf-from-KSaf-def TraceInf-K-def State-K-def Prop-K-def
    by blast
  {
    fix t assume t-st: t ∈ TraceInf-K  t ∉ ?K
    then have ∃ M ∈ Obs. M ∈ Bads-from-KSaf k KK
        ∧ (∃ tz ∈ TraceFin-K. zipn k (set-to-llist M) tz ∧ tz ≤_k t)
      unfolding Saf-from-KSaf-def TraceInf-K-def TraceFin-K-def State-K-def
      by blast
    then obtain M tz where M-tz-st:
        M ∈ Obs
        M ∈ Bads-from-KSaf k KK
        tz ∈ TraceFin-K
        zipn k (set-to-llist M) tz
        tz ≤_k t
      by blast
    {
      fix u assume u-st: u ∈ TraceInf-K  tz ≤_k u
      hence u ∉ ?K using M-tz-st
        unfolding TraceInf-K-def Saf-from-KSaf-def State-K-def by blast
    }
    hence ∃ tz ∈ TraceFin-K.
        tz ≤_k t ∧ (∀ u ∈ TraceInf-K. tz ≤_k u ⟶ u ∉ Saf-from-KSaf k KK)
      using M-tz-st unfolding TraceFin-K-def TraceInf-K-def State-K-def
      by blast
  }
  thus ?K ∈ KSP k
    unfolding KSP-def SPA-def spa-def using Saf-from-KSaf-st by blast
qed

lemma trace-set-prefix-transitive:
  assumes X-p-Y: X ≤ Y and Y-p-Z: Y ≤ Z
  shows X ≤ Z
proof -
  {
    fix x assume x ∈ X
    then obtain y where y ∈ Y  x ≤ y
      using X-p-Y unfolding trace-set-prefix-def by blast
    then obtain z where z ∈ Z  y ≤ z
      using Y-p-Z unfolding trace-set-prefix-def by blast
    have x ≤ z using ‹x ≤ y› ‹y ≤ z›
      by (rule llist-le-trans [of x y z])
    hence ∃ z ∈ Z. x ≤ z using ‹z ∈ Z› by blast
  }
  thus X ≤ Z unfolding trace-set-prefix-def by blast
qed

8.2  Theorem 

theorem theorem-2-only-if:
  fixes k :: nat
  assumes S-Sys: S ∈ Systems and KK-KSHP: KK ∈ KSHP k
  shows ∃ K ∈ KSP k. ((S ⊨ (KK :: hyperproperty)) ⟶ ((kProd k S) ⊨ K))
proof -
  let ?K = Saf-from-KSaf k KK
  let ?MM = Bads-from-KSaf k KK
  let ?S-k = kProd k S

  have K-is-safety: ?K ∈ KSP k using KK-KSHP by (simp add: Saf-from-KSaf-is-safety)

  have (S ⊨ (KK :: hyperproperty)) ⟶ ((?S-k) ⊨ ?K)
  proof (rule ccontr)
    {
      assume neg: ¬ (S ⊨ (KK :: hyperproperty) ⟶ (?S-k) ⊨ ?K)
      hence S-Sat-KK: S ⊨ KK by blast
      have S-k-Unsat: ¬ ((?S-k) ⊨ ?K) using neg by blast
      have S-in-KK: S ∈ KK
        using S-Sat-KK unfolding hyperproperty-satisfies-def .
      have S-unsub-K: ¬ ?S-k ⊆ ?K using S-k-Unsat unfolding pa-satisfies-def .
      then obtain t where t-st: t ∈ ?S-k  t ∉ ?K by blast
      hence t ∈ TraceInf-K unfolding kProd-def by blast
      then obtain M zip-M where M-zip-M-st: M ∈ Obs
          M ∈ ?MM
          zipn k (set-to-llist M) zip-M
          zip-M ≤_k t
        using t-st unfolding Saf-from-KSaf-def by blast
      obtain T where T-st: zipn k (set-to-llist T) t
          T ∈ Prop
          T ⊆ S
        using ‹t ∈ ?S-k› unfolding kProd-def Systems-def Prop-def by blast
      have M-pfx-T: M ≤ T using ‹zipn k (set-to-llist T) t›
          ‹zipn k (set-to-llist M) zip-M›
          ‹zip-M ≤_k t›
        by (simp add: unzip-monotonic-wrt-prefix-k)
      hence T ∉ KK using ‹M ∈ ?MM› ‹T ∈ Prop›
        unfolding Bads-from-KSaf-def by blast
      have T ≤ S using T-st S-Sys ‹t ∈ ?S-k›
        unfolding trace-set-prefix-def Systems-def kProd-def zipn-def
        by blast
      with M-pfx-T have M-pfx-S: M ≤ S
        by (rule trace-set-prefix-transitive [of M T S])

      have S ∈ Prop using S-Sys unfolding Systems-def Prop-def by blast
      have S ∉ KK using M-zip-M-st M-pfx-S ‹S ∈ Prop› unfolding Bads-from-KSaf-def
        by blast

      with S-in-KK have False by simp
    }
    thus ¬ (S ⊨ KK ⟶ kProd k S ⊨ ?K) ⟹ False by assumption
  qed

  thus ∃ K ∈ KSP k. S ⊨ KK ⟶ kProd k S ⊨ K
    using K-is-safety by blast
qed

theorem theorem-2-if:
  fixes k :: nat
  assumes S-Sys: S ∈ Systems and KK-KSHP: KK ∈ KSHP k
  shows ∃ K ∈ KSP k. (((kProd k S) ⊨ K) ⟶ (S ⊨ (KK :: hyperproperty)))
proof -
  let ?K = Saf-from-KSaf k KK
  let ?M = Bads-from-KSaf k KK
  let ?S-k = kProd k S

  have K-is-safety: ?K ∈ KSP k using KK-KSHP by (simp add: Saf-from-KSaf-is-safety)
  have ((?S-k ⊨ ?K) ⟶ (S ⊨ (KK :: hyperproperty)))
  proof (rule ccontr)
    { assume neg: ¬ (((?S-k) ⊨ ?K) ⟶ (S ⊨ (KK :: hyperproperty)))
      hence ?S-k ⊆ ?K unfolding pa-satisfies-def by simp
      have ¬ (S ⊨ KK) using neg by simp

      have S ∈ Prop using S-Sys unfolding Prop-def Systems-def by blast
      hence S ∉ KK using ‹¬ (S ⊨ KK)›
        unfolding hyperproperty-satisfies-def by simp

      hence
        ∃ M ∈ Obs. M ≤ S ∧ card M = k ∧
          (∀ T' ∈ Prop. M ≤ T' ⟶ T' ∉ KK)
        using ‹S ∈ Prop› KK-KSHP unfolding KSHP-def kshp-def
        by blast

      then obtain M where M-st: M ≤ S  card M = k  M ∈ Obs
          ∀ T' ∈ Prop. M ≤ T' ⟶ T' ∉ KK by blast
      have ∃ m. zipn k (set-to-llist M) m
        using ‹M ∈ Obs› by (simp add: zip-of-Obs-exists [of M k])
      then obtain m where m-st: zipn k (set-to-llist M) m by blast
      obtain s where s ∈ ?S-k  m ≤_k s
        using ‹M ∈ Obs› ‹S ∈ Systems› m-st ‹M ≤ S›
        using zip-EX-suffix by best
      have M ∈ ?M unfolding Bads-from-KSaf-def using M-st ‹S ∈ Prop›
        by blast

      have m ∈ TraceFin-K unfolding TraceFin-K-def
        using m-st ‹M ∈ Obs› zip-of-Obs-fin
        unfolding zipn-def State-K-def Obs-def psi-fin-def
        by blast

      have s ∉ ?K unfolding Saf-from-KSaf-def
        using ‹M ∈ Obs› ‹m ∈ TraceFin-K› ‹M ∈ ?M› ‹zipn k (set-to-llist M) m›
          ‹m ≤_k s› by blast

      hence ¬ ?S-k ⊆ ?K using ‹s ∈ ?S-k› by blast

      hence False using ‹?S-k ⊆ ?K› by blast
    }
    thus ¬ (kProd k S ⊨ Saf-from-KSaf k KK ⟶ S ⊨ KK) ⟹ False by
      assumption
  qed

  thus ∃ K ∈ KSP k. kProd k S ⊨ K ⟶ S ⊨ KK
    using K-is-safety by blast
qed

end 
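The constructions of section 8 (kProd, Bads-from-KSaf and Saf-from-KSaf) and the two halves of theorem 2 can be exercised on a small finite model. The Python below is an added example, not part of the Isabelle development or of the technical report; it replaces infinite traces by traces of a fixed finite length, lets the k-product repeat a trace inside a k-tuple (a Cartesian power, rather than a subset S' with card S' = k), keeps a product trace as a k-tuple of traces instead of a zipped trace (zipn is a bijection on equal-length traces, so ≤_k becomes componentwise prefix), and restricts observations to non-empty sets of at most k prefixes of one common length. All names in it are the example's own. Under those modelling assumptions it builds the bad observations and the safety property K for a constructed 2-safety hyperproperty (a trace's first state determines its second) and then checks, for every system S in the model, that S ⊨ KK holds exactly when kProd k S ⊨ K, which is the equivalence theorem-2-only-if and theorem-2-if establish for infinite traces.

```python
"""Finite-trace model of the k-safety constructions (added example, not the paper's code).

Modelling assumptions, all of which differ from the Isabelle development:
  * traces have a fixed finite length LENGTH rather than being infinite;
  * the k-product is S x ... x S (a trace may repeat inside a k-tuple)
    instead of requiring a subset S' with card S' = k;
  * a product trace is kept as a k-tuple of traces, so the k-prefix relation
    is componentwise prefix (zipn is a bijection on equal-length traces);
  * observations (Obs) are non-empty sets of at most k prefixes of one length.
"""
from itertools import combinations, product

ALPHABET = (0, 1)   # the states (Sigma) of the constructed model
LENGTH = 2          # fixed trace length, standing in for infinite traces

# TraceInf analogue: all traces of length LENGTH; Prop: every set of such traces.
TRACES = list(product(ALPHABET, repeat=LENGTH))
PREFIXES = [p for n in range(1, LENGTH + 1) for p in product(ALPHABET, repeat=n)]
PROP = [frozenset(c) for r in range(len(TRACES) + 1) for c in combinations(TRACES, r)]


def is_prefix(m, t):
    """m <= t on single traces."""
    return t[:len(m)] == m


def set_prefix(M, T):
    """M <= T (trace-set prefix): each finite trace in M is a prefix of some t in T."""
    return all(any(is_prefix(m, t) for t in T) for m in M)


def observations(k):
    """Obs in this model: non-empty sets of at most k prefixes sharing one length."""
    obs = []
    for n in range(1, LENGTH + 1):
        same_len = [p for p in PREFIXES if len(p) == n]
        for r in range(1, k + 1):
            obs.extend(frozenset(c) for c in combinations(same_len, r))
    return obs


def refutes(M, KK):
    """Last conjunct of Bads-from-KSaf: every property T' >= M lies outside KK."""
    return all(T2 not in KK for T2 in PROP if set_prefix(M, T2))


def is_k_safety(k, KK):
    """kshp k KK: every T outside KK has an observation M <= T that refutes KK."""
    return all(any(set_prefix(M, T) and refutes(M, KK) for M in observations(k))
               for T in PROP if T not in KK)


def k_prod(k, S):
    """kProd k S: all k-tuples of traces drawn from S (repetition allowed here)."""
    return set(product(sorted(S), repeat=k))


def bads_from_ksaf(k, KK):
    """Bads-from-KSaf k KK: observations below some T outside KK that refute KK."""
    return [M for M in observations(k)
            if any(T not in KK and set_prefix(M, T) for T in PROP) and refutes(M, KK)]


def k_prefix(ms, ts):
    """<=_k on product traces: componentwise prefix."""
    return all(is_prefix(m, t) for m, t in zip(ms, ts))


def saf_from_ksaf(k, KK):
    """Saf-from-KSaf k KK: product traces that no bad observation is a k-prefix of."""
    bad_tuples = [ms for M in bads_from_ksaf(k, KK)
                  for ms in product(sorted(M), repeat=k) if set(ms) == M]
    return {ts for ts in product(TRACES, repeat=k)
            if not any(k_prefix(ms, ts) for ms in bad_tuples)}


def theorem_2_holds(k, KK):
    """S |= KK  <->  kProd k S |= Saf-from-KSaf k KK, checked for every system S."""
    if not is_k_safety(k, KK):
        raise ValueError("KK is not a k-safety hyperproperty in this model")
    K = saf_from_ksaf(k, KK)
    return all((S in KK) == k_prod(k, S).issubset(K) for S in PROP)


# Constructed 2-safety hyperproperty: a trace's first state determines its second.
DETERMINISTIC = frozenset(T for T in PROP
                          if all(t[1] == u[1] for t in T for u in T if t[0] == u[0]))

if __name__ == "__main__":
    print("2-safety:", is_k_safety(2, DETERMINISTIC))
    print("bad observations:", sorted(sorted(M) for M in bads_from_ksaf(2, DETERMINISTIC)))
    print("theorem 2 holds on the model:", theorem_2_holds(2, DETERMINISTIC))
```

For the constructed hyperproperty the only bad observations are the two conflicting full-length pairs {(0,0),(0,1)} and {(1,0),(1,1)}: a single prefix never refutes it, because some deterministic system extends any one prefix. Changing KK to a hyperproperty that is not 2-safety in the model, such as "the system has at least two traces", makes is_k_safety return False, and theorem_2_holds refuses to run, which mirrors the KK ∈ KSHP k assumption both theorems carry.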